Using self-signed SSL in Android (Nougat+)

Since the introduction of Nougat (API 24) to Android, a number of changes were introduces on how Android handles trusted certificate authorities (CAs). Before, one only needs to install the self-signed SSL .cer file in the emulator/device Security Settings. Then the app will just simply be able to access your secure endpoints (HTTPS) using the global device settings.

Now, apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

You need to do some additional steps for your app to gain access to the trusted CAs.

1. Convert your .CER file to .PEM file

This is the command to convert the file using the terminal.

openssl x509 -inform pem -in <sslcert.cer> -outform der -out <sslcert.pem>

After you have converted the CER file to PEM, import the PEM file in your res/raw folder.

2. Add a Network Security Config

Create a network_security_config.xml file in y0ur /res/xml folder. Point it to the imported PEM file.

<?xml version=”1.0" encoding=”utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src=”@raw/sslcert”/>
<certificates src=”system”/>
</trust-anchors>
</base-config>
</network-security-config>

3. Add the security configuration in your manifest

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="@xml/network_security_config"
... >
...
</application>
</manifest>

Build, run and voila! You should now be able to reach your secure endpoints.

More resource and details on the links below.

https://developer.android.com/training/articles/security-config.html

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html